[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Jul 29 19:07:39 BST 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7595414d by Moritz Muehlenhoff at 2024-07-29T20:06:18+02:00
bookworm/bullseye triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -351,6 +351,8 @@ CVE-2024-41468 (Tenda FH1201 v1.2.0.14 was discovered to contain a command injec
NOT-FOR-US: Tenda
CVE-2024-40897 (Stack-based buffer overflow vulnerability exists in orcparse.c of ORC ...)
- orc 1:0.4.39-1
+ [bookworm] - orc <no-dsa> (Minor issue)
+ [bullseye] - orc <no-dsa> (Minor issue)
NOTE: https://gstreamer.freedesktop.org/security/sa-2024-0003.html
NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/orc/-/commit/fb7db9ae3e8ac271651d1884a3611d30bac04a98 (0.4.39)
CVE-2024-3938 (The "reset password" login page accepted an HTML injection via URL par ...)
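Review bot: the `<no-dsa> (Minor issue)` tags added for orc in bookworm and bullseye carry no rationale, and the CVE text describes a stack-based buffer overflow in orcparse.c, which is a memory-safety defect rather than an obviously low-impact one. Consider recording in the parenthesised comment what limits the impact (which inputs reach orcparse.c, and whether it runs on anything network-facing or attacker-controlled), so a later reviewer can tell whether a point update carrying the referenced commit fb7db9ae (0.4.39) is warranted.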
@@ -418,15 +420,21 @@ CVE-2024-36111 (KubePi is a K8s panel. Starting in version 1.6.3 and prior to ve
NOT-FOR-US: KubePi
CVE-2024-29069 (In snapd versions prior to 2.62, snapd failed to properly check the de ...)
- snapd 2.62-1
+ [bookworm] - snapd <no-dsa> (Minor issue)
+ [bullseye] - snapd <no-dsa> (Minor issue)
NOTE: https://github.com/snapcore/snapd/pull/13682
CVE-2024-29068 (In snapd versions prior to 2.62, snapd failed to properly check the fi ...)
- snapd 2.62-1
+ [bookworm] - snapd <no-dsa> (Minor issue)
+ [bullseye] - snapd <no-dsa> (Minor issue)
NOTE: https://github.com/snapcore/snapd/commit/b66fee81606a1c05f965a876ccbaf44174194063 (2.62)
NOTE: https://github.com/snapcore/snapd/pull/13682
CVE-2024-28772 (IBM Security Directory Integrator 7.2.0 and IBM Security Verify Direct ...)
NOT-FOR-US: IBM
CVE-2024-1724 (In snapd versions prior to 2.62, when using AppArmor for enforcement o ...)
- snapd 2.62-1
+ [bookworm] - snapd <no-dsa> (Minor issue)
+ [bullseye] - snapd <no-dsa> (Minor issue)
NOTE: https://github.com/snapcore/snapd/commit/aa191f97713de8dc3ce3ac818539f0b976eb8ef6 (2.62)
NOTE: https://github.com/snapcore/snapd/pull/13689
NOTE: https://gld.mcphail.uk/posts/explaining-cve-2024-1724/
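Review bot: CVE-2024-29069 is the only snapd entry here whose NOTE lines give just the pull request (https://github.com/snapcore/snapd/pull/13682) with no fix commit, while CVE-2024-29068 and CVE-2024-1724 each pin a commit with the fixing version "(2.62)". Adding the corresponding commit for 29069 records the backport target in case the no-dsa decision is revisited for a point update; the same PR is listed for both 29069 and 29068, so if it contains both fixes, say so in the NOTE.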
@@ -1437,6 +1445,8 @@ CVE-2024-41111 (Sliver is an open source cross-platform adversary emulation/red
NOT-FOR-US: Sliver
CVE-2024-40724 (Heap-based buffer overflow vulnerability in Assimp versions prior to 5 ...)
- assimp 5.4.2+ds-1
+ [bookworm] - assimp <no-dsa> (Minor issue)
+ [bullseye] - assimp <no-dsa> (Minor issue)
NOTE: https://github.com/assimp/assimp/commit/ddb74c2bbdee1565dda667e85f0c82a0588c8053 (v5.4.2)
CVE-2024-40642 (The netty incubator codec.bhttp is a java language binary http parser. ...)
TODO: check
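Review bot: the assimp entry pins the upstream fix to "(v5.4.2)" but the no-dsa comment does not say which stable versions are actually affected. Since the CVE text describes a heap-based buffer overflow in "versions prior to 5 ...", confirm that the bookworm and bullseye package versions contain the vulnerable code before leaving them at no-dsa, and record the basis for "Minor issue" in the comment so the triage can be checked later.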
@@ -2501,6 +2511,8 @@ CVE-2024-40631 (Plate media is an open source, rich-text editor for React. Edito
NOT-FOR-US: Plate media
CVE-2024-40630 (OpenImageIO is a toolset for reading, writing, and manipulating image ...)
- openimageio <unfixed> (bug #1076772)
+ [bookworm] - openimageio <no-dsa> (Minor issue)
+ [bullseye] - openimageio <no-dsa> (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/security/advisories/GHSA-jjm9-9m4m-c8p2
NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/0a2dcb4cf2c3fd4825a146cd3ad929d9d8305ce3
CVE-2024-40627 (Fastapi OPA is an opensource fastapi middleware which includes auth fl ...)
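Review bot: the openimageio NOTE with the fix commit (0a2dcb4cf2c3fd4825a146cd3ad929d9d8305ce3) lacks the release tag that the other commit NOTEs in this change carry, such as "(v5.4.2)" or "(2.62)"; since the unstable entry is still `<unfixed>` (bug #1076772), the first upstream release containing that commit is what the maintainer will need, so add it when known. The GHSA advisory linked on the line above is the place to confirm that version.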
@@ -4972,10 +4984,14 @@ CVE-2024-6580 (The /n software IPWorks SSH library SFTPServer component can be i
NOT-FOR-US: /n software IPWorks SSH library SFTPServer component
CVE-2024-6564 (Buffer overflow in "rcar_dev_init" due to using due to using untruste ...)
- arm-trusted-firmware <unfixed> (bug #1076042)
+ [bookworm] - arm-trusted-firmware <no-dsa> (Minor issue)
+ [bullseye] - arm-trusted-firmware <no-dsa> (Minor issue)
NOTE: https://github.com/renesas-rcar/arm-trusted-firmware/commit/c9fb3558410032d2660c7f3b7d4b87dec09fe2f2
NOTE: https://asrg.io/security-advisories/cve-2024-6564/
CVE-2024-6563 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ...)
- arm-trusted-firmware <unfixed> (bug #1076042)
+ [bookworm] - arm-trusted-firmware <no-dsa> (Minor issue)
+ [bullseye] - arm-trusted-firmware <no-dsa> (Minor issue)
NOTE: https://github.com/renesas-rcar/arm-trusted-firmware/commit/235f85b654a031f7647e81b86fc8e4ffeb430164
NOTE: https://asrg.io/security-advisories/cve-2024-6563/
CVE-2024-6227 (A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to c ...)
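Review bot: both arm-trusted-firmware fix commits point at the renesas-rcar fork (github.com/renesas-rcar/arm-trusted-firmware) and CVE-2024-6564 names rcar_dev_init, so the affected code is R-Car platform support. Before settling on no-dsa for bookworm and bullseye, check whether Debian's arm-trusted-firmware build includes the rcar platform at all: if the vulnerable code is not compiled into any shipped binary, `<not-affected>` with that reason is the more precise tag, and if it is, the comment should say why an overflow during firmware initialisation counts as minor.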
@@ -5175,13 +5191,19 @@ CVE-2024-6501 (A flaw was found in NetworkManager. When a system running Network
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2295734
CVE-2023-39329 (A flaw was found in OpenJPEG. A resource exhaustion can occur in the o ...)
- openjpeg2 <unfixed>
+ [bookworm] - openjpeg2 <no-dsa> (Minor issue)
+ [bullseye] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1474
CVE-2023-39328 (A vulnerability was found in OpenJPEG similar to CVE-2019-6988. This f ...)
- openjpeg2 <unfixed>
+ [bookworm] - openjpeg2 <no-dsa> (Minor issue)
+ [bullseye] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1471
NOTE: https://github.com/uclouvain/openjpeg/pull/1470
CVE-2023-39327 (A flaw was found in OpenJPEG. Maliciously constructed pictures can cau ...)
- openjpeg2 <unfixed>
+ [bookworm] - openjpeg2 <no-dsa> (Minor issue)
+ [bullseye] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1472
CVE-2024-6526 (A vulnerability classified as problematic has been found in CodeIgnite ...)
NOT-FOR-US: Ecommerce-CodeIgniter-Bootstrap
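Review bot: the three openjpeg2 entries are tagged no-dsa in both stable releases while unstable remains `<unfixed>`, and only CVE-2023-39328 references a pull request (https://github.com/uclouvain/openjpeg/pull/1470); CVE-2023-39329 and CVE-2023-39327 link only to upstream issues. Note whether an upstream fix exists for those two (or that none does yet), because a no-dsa decision for a resource exhaustion and a crash on malicious images is easier to revisit when the fix status is on record. CVE-2023-39328's own text says it is similar to CVE-2019-6988, so cross-checking how that earlier CVE was resolved in openjpeg2 would help here.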
@@ -5280,6 +5302,7 @@ CVE-2024-39937 (supOS 5.0 allows api/image/download?fileName=../ directory trave
NOT-FOR-US: supOS
CVE-2024-39936 (An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2. ...)
- qt6-base <unfixed> (bug #1076292)
+ [bookworm] - qt6-base <no-dsa> (Minor issue)
- qtbase-opensource-src 5.15.13+dfsg-3 (bug #1076293)
[bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
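Review bot: only a [bookworm] tag is added for qt6-base, whereas the qtbase-opensource-src entry directly below carries both [bookworm] and [bullseye]; presumably qt6-base is not present in bullseye, which is fine, but the asymmetry is worth a quick check so the HTTP2 issue is not left untriaged for one release. The qt6-base line also remains `<unfixed>` (bug #1076292) in unstable while qtbase-opensource-src has a fixed version, so the two should be revisited together once the Qt 6 fix lands.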
@@ -6034,6 +6057,7 @@ CVE-2024-38513 (Fiber is an Express-inspired web framework written in Go A vulne
NOT-FOR-US: Fiber
CVE-2024-37298 (gorilla/schema converts structs to and from form values. Prior to vers ...)
- golang-github-gorilla-schema <unfixed> (bug #1075973)
+ [bookworm] - golang-github-gorilla-schema <no-dsa> (Minor issue)
NOTE: https://github.com/gorilla/schema/security/advisories/GHSA-3669-72x9-r9p3
NOTE: https://github.com/gorilla/schema/commit/cd59f2f12cbdfa9c06aa63e425d1fe4a806967ff (v1.4.1)
CVE-2024-37146 (Flowise is a drag & drop user interface to build a customized large la ...)
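Review bot: as with qt6-base, golang-github-gorilla-schema gets only a [bookworm] tag; confirm whether bullseye ships the package and add the tag if it does. Because this is a Go library, the fix commit cd59f2f12cbdfa9c06aa63e425d1fe4a806967ff (v1.4.1) only reaches users once reverse dependencies are rebuilt against it, so when the unstable entry (currently `<unfixed>`, bug #1075973) is resolved, rebuilding the binaries that statically link gorilla/schema is part of the fix, not just the library upload.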
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7595414d939947fa81010177b7e5e83e10512a39